SmartCard Forum 2008 - Securing digital identity

Securing Digital Identity: an overview of available technologies and solutions to secure digital identity
Jérôme Lena, IPL Advanced Product Manager, [email protected]
© 2008 Oberthur Technologies

Transcript of SmartCard Forum 2008 - Securing digital identity

1. Securing Digital Identity (title slide)
   An overview of available technologies and solutions to secure digital identity.
   Jérôme Lena, IPL Advanced Product Manager, Oberthur Technologies.

2. Agenda
   - Identity and identities
   - Digital identity at risk
   - Securing digital identity
   - Smart card based solutions from Oberthur

3. Identity and identities (section title)

4. What is an Identity? Internal definition
   Identity, noun, plural -ties. From Latin identidem, contraction of idem et idem, literally "the same and the same".
   - The state or fact of remaining the same one or ones, as under varying aspects or conditions.
   - The condition of being oneself or itself and not another.
   - The sense of self, providing sameness and continuity in personality over time and sometimes disturbed in mental illness, as schizophrenia.
   (Random House Unabridged Dictionary, Random House Inc. 2006)
   => requires a proof of identity

5. What is an Identity? External definition
   Identity defined by an authority:
   - Beginning of the modern era: identity proof required only from mobile people (pilgrims, beggars, messengers).
   - Early days of democracy: France, August 4, 1794, first law in the West fixing identity to the birth certificate.
   - Nowadays: sovereignty and citizenship are the basis of every nation-state.
   => requires a seal of authority

6. Identity in a digital world
   Digital identities are used every day, sometimes all day long.
   Digital identities at work:
   - Log on to your PC
   - Log on to a Wifi hotspot
   - Send and receive emails
   - Log on to a Virtual Private Network (VPN)
   - Log on to legacy corporate applications
   Digital identities at home:
   - Log on to your PC
   - Log on to a Wifi hotspot
   - Send and receive emails with an e-mail client
   - Send and receive web-based emails
   - Chat with instant messaging (Windows Live Messenger, Skype, etc.)
7. Identity in a digital world
   Every new internet service requires a new identity.
   Digital identities for e-commerce:
   - Online banking, e-wallets
   - Online shopping (Amazon, Pixmania, ...)
   - Online selling/auctions (eBay, ...)
   Digital identities for online communities:
   - Social networks (Facebook, Myspace, Meetic)
   - Online gaming (role playing games, poker)
   - Online publishing and sharing: photo hosting, video sharing, blogs

8. Identity in a digital world
   ... while an e-citizen needs a single identity for several internet services.
   Digital identity for e-government services:
   - Income and other tax declarations
   - Value Added Tax declaration and payment
   - Car registration (online declaration for automobile license)
   - Personal document request and delivery (birth, marriage, ...)
   - Social services (unemployment benefits, job search, student grants, ...)
   - Declaration to the police (theft, accident, ...)

9. Digital identity at risk (section title)

10. Digital identity at risk: the overexposure threat
   - Have you been Googleized lately? Specialized search engines are now cropping up (e.g. Spock).
   - From social networks to social engineering: the Facebook "superhero name" information leak*.
   - Should one be afraid of digital identity theft? "Post-industrial society, technotronic or informational, will be overwhelming for the ones mastering it badly." Stolen Memories (Lorenzi & Le Boucher, 1979)
   *Article by Paul Johns, Complinet Chief Marketing Officer (2007)

11. Digital identity at risk: figures on identity fraud in the UK*
   [Bar chart: cases of identity and impersonation fraud reported, years 1999 to 2006, vertical axis 0 to 90 000. Bar labels as extracted: 80 000, 66 000, 56 000, 46 000, 34 000, 24 000, 16 000, 9 000.]
   *CIFAS, the UK's Fraud Prevention Service, 2007
12. Digital identity at risk: figures on identity fraud in the US*
   In 2006:
   - 8.9 million Americans were victimized by identity fraud.
   - Total cost of identity fraud was $56.6 billion.
   - Average fraud amount per victim: $6,383.
   - Average fraud cost per victim: $422.
   *Javelin Strategy/Better Business Bureau 2006 Identity Fraud Survey Report

13. Digital identity at risk: how does identity theft happen?*
   Real world (some control):
   - Lost or stolen wallet, checkbook or credit card
   - Mail theft from an unlocked mailbox
   - Private documents retrieved from the trash can (dumpster diving)
   - Information stolen at home (relatives, friends, employees)
   - E-mails, calls or text messages pretending to be a trusted source
   - Eavesdropping by a criminal while conducting a public transaction (shoulder surfing)
   - Criminal changing the address of an account
   - Corrupt business employee who has access to private data
   Digital world:
   - Hacking, viruses, spyware (some control)
   - Data breach at an organization that maintains access to private information (retailer, school, bank, hospital, ...) (no control)
   *Ibid.

14. Digital identity at risk: threats to digital identity (some control)
   E-mail security issues:
   - Anybody can create a fake email address
   - E-mail communication provides no confidentiality
   Wifi security issues:
   - WEP encryption was cracked in January 2001 by the University of Berkeley
   - Any communication going through a free hot-spot can be intercepted
   E-banking security issues:
   - Increasing attacks to steal user name & password (phishing, pharming, drive-by-pharming)
   - Insufficient countermeasures: user name & password still widely used
   - Web image authentication does not offer real protection for online banking (May 2007 Harvard-MIT report)

15. Digital identity at risk: threats to digital identity (no control)
   Generic IT security issue: digital attacks (a.k.a. hacking).
   For data theft:
   - Industrial spying (pricelists, source code, contracts, blueprints, etc.)
   - Customer identity theft (credit card data, personal data, login, etc.)
   For other cyber criminal activities:
   - To be able to impersonate an identity and carry on anonymously on the internet
   - To use e-mail clients or servers to send spam (spam-farm)
   - To store and share illegal or stolen files
   - To synchronize thousands of computers to disable a web site (DDoS)
   - To use computing power to break encryption
   - To spread viruses, trojans, spyware, etc.
   - To sell complete access to a large company network
   More on these topics: "Dirty Money on the Wires: The Business Models of Cyber Criminals" (Virus Bulletin Conference 2006)

16. Securing digital identity (section title)

17. Securing digital identity: identification
   Unsecure identification: username & password over a clear connection.
   The Internet is an open (distributed) environment: any data can be intercepted.
   [Diagram: End-user --static--> Service provider]

18. Securing digital identity: identification, confidentiality
   Identification with confidentiality: username & password over an encrypted connection (SSL/TLS, https:// with Internet Explorer's or Firefox's indicator shown on the slide).
   The Internet is not a controlled environment:
   - The user's identity is not authenticated
   - The visited web site is not (satisfactorily) authenticated
   Identification with confidentiality and web site authentication: username & password over an Extended Validation SSL connection.
   The Internet is still not a controlled environment:
   - The user's identity is still not authenticated
19. Securing digital identity: from static to dynamic identification
   Identification cannot be done with constant data:
   - Any constant data can be intercepted or stolen
   - It can then be replayed
   An end-user can only provide constant data:
   - Something he knows (passwords, PIN)
   - Something he is (biometrics)
   There is a need for a device between the end-user and the service provider:
   - The end-user inputs a static identification (password, PIN, biometrics) to identify himself to the device
   - The device performs a dynamic authentication with the service provider
   [Diagram: End-user --static--> Device --dynamic--> Service provider]

20. Securing digital identity: identification, confidentiality, authentication
   Identification with confidentiality and user authentication: username & password over an encrypted connection, with verification of a shared secret:
   - Paper-based challenge-response
   - One-time password provided by a time-based dongle
   - Smart card-based EMV authentication
   Shared secrets must be shared:
   - Distribution of shared secrets is complex and risky
   - Mostly suited for one-to-many digital transactions
   - Not suited for document signing (non-repudiation)

21. Securing digital identity: digital identity document
   A digital certificate is an electronic document:
   - Linking an entity (person, company) with a public key
   - Carrying a digital signature linked with a public key from a trusted third party
   - Compliant with an international standard (ITU X.509 v3)
   [Diagram: User's Digital Certificate = User's public key, User's name, Email, Expiration date, Etc., Issuer's Digital Signature; Trusted third party <-> User]
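The replay problem of slide 19 and the shared-secret caveat of slide 20 are easy to see in a few lines. The following is an added example, not code from the presentation or from Oberthur: a toy model in which a static password service accepts any captured password again, while a device that MACs a fresh server nonce after a correct PIN produces a response that is worthless once replayed. The device secret, PIN and password are constructed demo values, and the PIN check is simplified (a real card also keeps a retry counter). The last function shows the slide-20 point about non-repudiation: because the verifier holds the same secret as the device, it can produce a valid "signature" itself.

```python
"""Static credential replay vs. device-based challenge-response (toy model).

Constructed demo: the device holds a secret shared with the service provider
and only answers challenges after a correct PIN. No network I/O is involved.
"""
import hashlib
import hmac
import secrets

# Constructed demo values, not real credentials.
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_PIN = b"1234"
DEMO_DEVICE_SECRET = secrets.token_bytes(32)  # provisioned into both device and server


class StaticPasswordService:
    """Slide 17: username & password sent as-is; whatever is captured can be replayed."""

    def __init__(self, password):
        self._pw_hash = hashlib.sha256(password).digest()

    def login(self, password):
        return hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash)


class ChallengeResponseService:
    """Slides 19/20: the server issues a fresh random nonce that the device must MAC."""

    def __init__(self, device_secret):
        self._secret = device_secret
        self._outstanding = set()  # nonces issued but not yet consumed

    def issue_challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce, response):
        # A nonce is valid for exactly one attempt, so a captured (nonce, response)
        # pair is useless to a replaying eavesdropper.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """The device between end-user and service provider: static PIN in, dynamic response out."""

    def __init__(self, device_secret, pin):
        self._secret = device_secret
        self._pin_hash = hashlib.sha256(pin).digest()  # simplified: no retry counter

    def respond(self, pin, nonce):
        if not hmac.compare_digest(hashlib.sha256(pin).digest(), self._pin_hash):
            raise PermissionError("wrong PIN: device refuses to answer the challenge")
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def static_login_and_replay():
    """Returns (first login ok, replayed login ok) for the static scheme."""
    service = StaticPasswordService(DEMO_PASSWORD)
    captured = DEMO_PASSWORD  # what an eavesdropper sees on a clear connection
    return service.login(DEMO_PASSWORD), service.login(captured)


def dynamic_login_and_replay():
    """Returns (first login ok, replayed login ok) for the challenge-response scheme."""
    service = ChallengeResponseService(DEMO_DEVICE_SECRET)
    device = Device(DEMO_DEVICE_SECRET, DEMO_PIN)
    nonce = service.issue_challenge()
    response = device.respond(DEMO_PIN, nonce)  # the user types the PIN into the device
    first = service.login(nonce, response)
    captured = (nonce, response)  # an eavesdropper records the whole exchange
    replayed = service.login(*captured)
    return first, replayed


def wrong_pin_is_rejected():
    """The static leg: without the right PIN the device never produces a response."""
    service = ChallengeResponseService(DEMO_DEVICE_SECRET)
    device = Device(DEMO_DEVICE_SECRET, DEMO_PIN)
    try:
        device.respond(b"0000", service.issue_challenge())
    except PermissionError:
        return True
    return False


def verifier_can_forge_response():
    """Slide 20 caveat: the verifier knows the shared secret, so it can mint a valid
    response on its own. A symmetric scheme therefore cannot give non-repudiation."""
    service = ChallengeResponseService(DEMO_DEVICE_SECRET)
    nonce = service.issue_challenge()
    forged = hmac.new(service._secret, nonce, hashlib.sha256).digest()  # server-side knowledge only
    return service.login(nonce, forged)


if __name__ == "__main__":
    print("static  (first, replayed):", static_login_and_replay())
    print("dynamic (first, replayed):", dynamic_login_and_replay())
    print("wrong PIN rejected:", wrong_pin_is_rejected())
    print("verifier can forge response:", verifier_can_forge_response())
```

Run it and the static scheme reports (True, True), the dynamic one (True, False). The single-use nonce set is what turns "constant data" into "dynamic authentication"; the forged-response function is the reason the deck moves on to certificates and asymmetric keys for signing.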
22. Securing digital identity: identification, confidentiality, authentication, signature
   Public Key Infrastructure (PKI):
   - Worldwide accepted model for securing communications on intranet, extranet and internet
   - Protocols, services and standards to manage public keys, to distribute and verify digital certificates, and to verify and authenticate the validity of each party involved in a transaction
   [Diagram: Trusted certificate issuer <-> User <-> Trusted certificate issuer]

23. Securing digital identity: securing private keys
   PKI security relies on private key security:
   - Private keys are stored on the user's hard disk
   - A desktop PC is protected only by user/password (in the best case)
   - On a PC, private keys can be easily stolen or misused
   - On a PC, cryptographic calculations can be monitored or tampered with
   There is a need for a secure device:
   - To store private keys
   - To perform cryptographic calculations
   [Diagram: End-user --static--> Secure device --dynamic--> Service provider]

24. Securing digital identity: smart cards to secure PKI
   For secure data storage:
   - Secure storage of private keys, passphrase, PIN or biometric data
   - Secure storage of several digital certificates in X.509 format
   - Secure storage of standardized data for digital identification: XMLDSIG (XML Digital Signature), SAML (Security Assertion Markup Language)
   - Secure storage of national/specific data structures (e.g. PIV, IAS)
   For complex calculations:
   - True random generator
   - Cryptographic engine (DES, 3DES, RSA, AES, ECC)
25. Securing digital identity: levels of confidence for digital identity
   Confidence level by delivery mode (rows) and signature tool (columns); 1 is the lowest level of confidence, 9 the highest:

   Delivery mode                    Software-only digital certificate   Smart device + software   Smart device + terminal + software
   Face-to-face delivery            3                                   6                         9
   Document-based delivery          2                                   5                         8
   Self-registered or self-signed   1                                   4                         7

   [Diagram: End-user --static--> Secure data entry device --secure--> Secure device --dynamic--> Service provider]

26. Smart card based solutions from Oberthur (section title)

27. Smart card based solutions from Oberthur
   Smart cards, devices and software to upgrade PKI to smart card security.
   Smart cards:
   - Private key generation & secure storage of credentials
   - Based on market standards
   Smart card readers & USB tokens:
   - Hardware interface between smart cards and the PC environment
   - Based on market standards (PC/SC to serial, USB, PCMCIA)
   Client software:
   - Software interface between smart cards and Windows operating systems
   - Based on market standards

28. Smart card based solutions from Oberthur: Classic Smart Card
   Features:
   - Contactless Mifare and T=CL interface
   - Contact ISO 7816 interface
   - Support for X.509 digital certificates
   - Support for multiple applications
   Form factors:
   - ID-1 smart card
   - SIM-plug size
   - USB token
   Standards supported:
   - Javacard 2.2 with Global Platform 2.1.1
   - Compliant with Qualified Electronic Signature as defined by Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures
   Certifications:
   - Common Criteria EAL 4+ PP SSCD* 
   - United States NIST FIPS 140-2 Level 3
   *ISO 15408
29. Smart card based solutions from Oberthur: readers
   Transparent readers:
   - Desktop contact readers
   - Desktop contactless readers
   - Laptop readers
   Enhanced security readers:
   - Common Criteria certified (CC EAL 3+)
   - Pinpad & LCD
   - Fingerprint biometrics reader

30. Smart card based solutions from Oberthur: client software (middleware)
   ID-One Classic Mini-driver:
   - For 32-bit and 64-bit versions of Microsoft Vista
   - Compliant with Microsoft's new specifications for smart cards (Crypto API Next Generation)
   - Tested and validated by the Microsoft Smart Card Certification Center in Dublin
   - Referenced and available online for instant download on the Microsoft Update Catalog

31. Smart card based solutions from Oberthur: client software (middleware)
   ID-One Classic Middleware (AuthentIC Web Pack):
   - Support for deployed Oberthur smart cards
   - Support for PKCS#11 under Windows Vista
   - Operating systems: Windows 9x, Windows Me, Windows 2000, Windows 2003, Windows XP, Windows Vista 32 bits, Linux

32. Smart card based solutions from Oberthur: overview
   Complete solutions bringing smart card security to customer PKI-based digital ID systems.
   Secure chips:
   - ID-One Classic card; ID-One Token for Digital ID
   - Contact chip; contactless chip for access control
   - Common Criteria EAL 4+ PP SSCD; United States NIST FIPS 140-2 Level 3
   Smart card readers:
   - Desktop readers; laptop readers; USB token; secure pinpad readers
   - Common Criteria EAL 3+
   Interface to link the smart card with applications on the PC:
   - ID-One Classic minidriver
   - AuthentIC Web Pack middleware for Windows 9x, 2K, 2K3, XP, Vista
   Identity applications:
   - Secure login; electronic signature; e-mail encryption
   Advanced physical security features:
   - Secure background; invisible ink; hologram embedding
   Personalization and fulfillment:
   - Personalization services
33. Thank you